My Bug Bounty Hunting Journey, Methodology and Tips XD

Image for post
Image for post

# Introduction

Hey guys and welcome to my very first blog on bug hunting!
I hope that this blog helps gets you started in bug hunting, I'm writing this blog so that it motivates other fellow hackers ;)
Also please share my blog with as many groups and people as you can. (so that it benefits other people too)

I hope this write-up teaches you something.
I was able to start off smoothly in bug hunting because I am generally interested in it, I used to read EBooks, blogs and watch videos in between of my school classes because they were just boring, I currently have my exams going on throughout December and yet I am hunting and writing a big blog because I care about hacking and its community!

If you want to ask anything related to hacking or my blog or anything please feel free to hit me up on my Twitter !
All resources mentioned in this write-up are given in the end.

#Note: **Bug Hunting is not easy it requires time, effort and the most it requires is Patience**

PS — This is gonna be a long one, so get comfortable :)

In this blog I will tell you 6 things:

  • Timeline
  • How I got started
  • My Journey
  • My Methodology
  • Few tips and tricks to get started :)
  • A few resources that have helped me grow

##Timeline
Ethical Hacking (June-August)
Bug Hunting (August-Till date XD)
First Bug (25th November)
Second Bug (3rd December)

##How I got started
> No one is born to hack, you have to learn and hack.
Hey fellow hackers my name is mrsinister
I am 15 years old and I am currently in the 10th grade.
I did not know anything about computers and all, but then because of
the spread of Covid-19 all school classes shifted to online classes on zoom meetings.

For the sake of attending my online classes, I bought a computer.
Then one day I was watching a youtube video and that video got interrupted by a very interesting ad, I usually just skip ads but I didn't skip this one.
It was a guy saying “Do you want to learn ethical hacking?” then he demonstrated How to get complete access over another computer and access the webcam.

And then I was like “I gotta learn this!”
So I took the course that the guy was offering in the ad. That course basically changed my life!

I didn't straight away dive into Bug Bounty Hunting, first I learned the basics of Python, Network Security, and Ethical hacking.

Then one day I got to know about something called *Bug bounty hunting*
I read blogs and watched videos on other people’s success and how this could be a career option for you.

Then I started to learn bug bounty hunting by taking a course for Bug bounty hunting.
**TIP:**You can’t learn Bug hunting by just sitting awkwardly watching videos and reading blogs! You need to practice as you learn!
I practiced everything that I learned on DVWA, bWAPP, and Portswigger Labs(all of these are free and legal environments to test on )

This was how I got started :)

#My Journey
**Fact**-I started to **Learn** bug hunting in July 2020 (just 4 months from now ;)

Now when I finished the course that I bought, I thought that now I am ready to find bugs and get paid for that!

But I was wrong, oh so so wrong…
I Quickly registered on HackerOne and started to look for bugs on any random program.

A beginner obviously can’t expect to get Crits as their first bug, I was no exception. I think that it is the part of the Journey to fail and get demotivated in Bug Hunting, but it is also the part of the Journey to **NEVER** give up.

Image for post
Image for post
Me in Bug Hunting when I first started

PS — The above reports were closed as N/A because they were — out of scope, FP, FP and Don’t care 😂

The first-ever bug I reported on Hackerone was email-spoofing. What do you think happened to that? Yes, you’re right it got closed as N/A by the triager because it didn't have any security impact. This made me so MAD and SAD at the same time…

But still, *I didn't give up*

I looked for more and more bugs, I reported more and more stuff but all of my reports got closed as N/A or Informative. I have had multiple burn-outs so I have even taken a week off hacking. (No big deal)
Burn-outs happen to everyone, but when they happen to you, please don’t quit bug hunting you just need some time to refresh your mind XD

But then one day I was testing on a program, to protect the program’s privacy let’s call it example.comnow, example.com was vulnerable to MITM attacks.

Here is how I found that out —

I just had 4 months of experience in bug hunting, so I was a newbie.
I fired up Burp Suite and started to intercept requests and find “Bugs”.

Then I made a request to login and when I entered my credentials I saw that I can see my credentials clearly in Burp, without any form of encryption… Strange…
I just thought that this might be a small authentication bug i.e. *Plaintext storage of credentials*!

To confirm this issue I fired up Kali Linux and ran a simple tool called **bettercap** which is a tool for MITM attacks. Then I saw the login request in the terminal I saw that the username and the password were not encrypted even though the website uses HTTPS protocol.

Then I didn’t think much and reported it… Then this bug got triaged 2 months after reporting it(It was a low-finding so example.com forgot to review it) I thought that just because I have a low signal and low reputation they won’t even review my report? So I felt bad and I self-closed this after a week of no response from the program. Then two months later when I was just checking my emails, I got an email from the program apologizing and with a bounty!
I was so happy that I got my first bug bounty, I told everyone and they were pretty proud of me :)

Now About the second bug which I found and reported in December 2020 (This one had a little more impact than the previous one) it was *Admin Panel exposure without any form of Rate-Limit protection*

After getting my first bug bounty, I thought now I'm on the go, and I should not stop. So basically time to find another bug!

Now since this bug has not been resolved yet, I will respect the program’s policy and will call it, redacted.com .

I was going through the *Directory* tab in HackerOne, and then I chose a VDP i.e. redacted.com because I wanted some reputation on HackerOne so that I can get private invites XD

This program had scope means all domains owned by them are in scope. This gave me an adrenaline rush!

I used amass to find ASN keys and then to look for subdomains.
Everything was going well, My custom-bash script is doing its thing and I am relaxing in my chair watching hacking videos, life’s great XD.

Then when my script gave me the results of the resolved-subdomains, I saw a subdomain that shocked me because it was a second-level deep subdomain that was resolved! ( second.leveldeep.redacted.com )

Then I quickly went to take a look at the subdomain, then the page didn’t load so I thought that my script gave me a False Positive :(

But still, i didn’t give up on that subdomain, I used a VPN to see if it works in other regions of the world, and yes it loaded!
But wait it was not so easy to find the admin-panel, that subdomain said *You have reached an incorrect site path. Please correct to continue.* hmm fishy…

I understood what it meant, so I started to FUZZ for directories :)
And now thank god that I used the right wordlist(dirb’s big.txt)
Because I found a directory called AdminTools/ when I saw that FFUF gave me a status 200 code for AdminTools/ I felt that I might have found something.

So when I went to this path — second.leveldeep.redacted.com
I found the admin panel!

Image for post
Image for post

Then I thought that this has no impact and reporting this would only cut my reputation on HackerOne. But then I thought of the first thing someone should do when you come across an admin-panel! Yes, that’s right, test for rate-limiting!

I quickly did the test and it wasn't there, and now I got a report to write :)
My report got triaged in 3 hours after submission :)

These were the two bugs that I found.

##My Methodology

Image for post
Image for post

Please remember this is a hacking thumb-rule that -
> Recon is the **MOST** Important phase of bug hunting.

Recon in the first 2 months of Bug hunting:

Now that I got that in mind, I thought okay let’s do recon!
I just went to google and searched “Recon tools Github” 🤣🤣
What a skid I was!

So I cloned some Github repos, and just started to run them ;)
Then I noticed that I was not really getting anything :(

So I thought that let’s quit this stupid skiddy attitude and let's make a tool of my own!

As mentioned above in this article i learned ethical hacking and Linux and networking before bug hunting, So obviously i was more than comfortable with bash.

So I planned on making a recon tool in bash that automates my recon so that I can chill in the background or do some other tasks.

About my tool(maybe you can get an idea to build a similar tool):

My tool is called - Bandit
So basically I just feed it my target wildcard domain and it does the following with the target and puts the output in different txt files XD:

PS — This is not my entire recon this is just the automated part of it, other than this I do use some open-source tools to do scanning like FFUF, WFUZZ, SubOver, Subjack and I figure out and understand the target web app using Burp Suite. I also do Github Dorking and Google Dorking.
After this, I analyze the recon data that I got.

Image for post
Image for post
This is my progress after 4 months in bug hunting

##Tips and tricks

  1. Please remember that **NO** program is perfect…..
    If you’re a beginner I think you can get your first bug easily if there is less competition. But I'm not saying that you can’t find bugs where there is a big competition, of course, you can and I hope you will. But there is a big chance that when you find your first bug on a target it gets duped. And when you know that you found a bug which is valid but the other person found it first and reported it before you and got the bounty or reputation which you could have gotten only if you were fast enough and more accurate. Trust me that can be the worst feeling or not such a bad feeling.
    I am saying this with experience. A week ago after getting my first bug, I dived into bug hunting more deeply, searching for bugs :)
    It's that time when I found a valid Subdomain takeover(Unbounce pages) possible on a private program! I got super excited and reported it!
    And guess what?… It got duped :(
    Ok at this point I got a very bad feeling which demotivated me…
    I got added to the original report. That guy reported this issue a week before me! But this was not in my hands because I got the invite 3 hours before finding and reporting the STO.
    A week went by and one day I went in that report which the other guy had reported only to see that they triaged it, resolved it, and gave him $1000!
    I didn’t feel bad this time(honestly because I got 2 rep because when you report a dupe and the dupe gets triaged that's what you get ;)
    Jokes apart, I didn't feel bad because I now realized that I am as skilled as that guy, it's his luck that he got invited into the program before me. “I found a valid bug, I was just not fast enough.”
    You will definitely get duplicates in your journey, but you should not feel demotivated by them. You should believe what I believed and move on and find another bug!
  2. Another tip would be to pick a program and just stick with it for at least a month, and if you find a bug on it before the end of the first month, please don’t leave that target, keep on hacking on it till you find another. This is the way of hacking on a target.
  3. Read blogs and watch videos regularly.
  4. Learn about as many bugs as you can to expand your brain’s bandwidth! So that if you encounter them in the wild you will at least know that you found it, and maybe escalate it to build some more impact XD
  5. While learning and practicing about different bug classes, I think it is normal to like a few bugs. Those bugs will be your strength!
    **I always test for these while I’m hacking on a program**

##Resources that have helped me grow
1) Youtube channels:
(i)InsiderPhD
(ii)Nahamsec
(iii)Stok
(iv)thexssrat
(v)NetworkChuck

2) Twitter accounts:
(i)InsiderPhD
(ii)Nahamsec
(iii)Stok

3) Discord Servers:
(i) InsiderPhD’s server — https://discord.gg/YhPmNqPz
(ii)Bounty Hunters— https://discord.gg/bugbounty
(iii)Infosec Community — https://discord.gg/VfUczd4G

4) Udemy(PS — these courses are all under $10):
(i)Python course for starting from basics — https://www.udemy.com/course/the-python-mega-course/
(ii)Python Course for intermediate people — https://www.udemy.com/course/learn-python-programming-a-step-by-step-course-to-beginners/
(iii)Ethical hacking from scratch — https://www.udemy.com/course/learn-ethical-hacking-from-scratch/
(iv)Basics of Bug hunting and explanation of different vulnerabilities — https://www.udemy.com/course/learn-website-hacking-penetration-testing-from-scratch/
(v)Another Bug hunting course — https://www.udemy.com/course/bug-bounty/

5) Books:
(i)Web app hacker’s handbook 2nd Edition
(ii)Web app hacker’s handbook 1st Edition
(iii)Web Hacking 101
(iv)Bug bounty hunting essentials
(v)Hacker’s playbook

Thanks for reading my blog… (oof it took me more than an hour to write this)

If you made it this far, then congrats because I’m sure you learned a thing or two!

Regards,

mrsinister15

Written by

Don't hate the hacker, hate the code.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store